Bug 1125339 - firefox segfaults on linked motherboard.vice.com URL
Summary: firefox segfaults on linked motherboard.vice.com URL
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Martin Stransky
QA Contact: Fedora Extras Quality Assurance
URL: http://motherboard.vice.com/read/the-...
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-07-31 15:18 UTC by John Sullivan
Modified: 2015-06-29 21:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-06-29 21:52:48 UTC



Description John Sullivan 2014-07-31 15:18:03 UTC
The above URL was linked from the latest RISKS digest at:

http://catless.ncl.ac.uk/Risks/28.11.html#subj3

Steps:

1) Create a new, empty, profile with "firefox -ProfileManager -no-remote" and start it.
2) Visit the above URL
3) Wait. Maybe scroll around a bit. Click or drag on the images. Alt-Tab away to another window and back. Basically pointless random activity. I've no idea whether that speeds up the crash or not, which generally happens within a minute or so, but it makes me feel better while waiting.

Versions:

firefox-31.0-1.fc20.x86_64
libdrm-2.4.54-1.fc20.x86_64
mesa-dri-drivers-10.1.5-1.20140607.fc20.x86_64

My graphics card reports as:

kernel: nouveau  [  DEVICE][0000:0f:00.0] Chipset: G72 (NV46)

[    34.152] (--) NOUVEAU(0): Chipset: "NVIDIA NV46"

0f:00.0 0300: 10de:01d3 (rev a1) (prog-if 00 [VGA controller])
        Subsystem: 1458:3470

0f:00.0 VGA compatible controller: NVIDIA Corporation G72 [GeForce 7200 GS / 7300 SE] (rev a1) (prog-if 00 [VGA controller])
        Subsystem: Gigabyte Technology Co., Ltd Device 3470

One of the crashes I saw involved the mesa dri driver, however I suspect that might be a red herring and the problem is actually in the JS JIT smashing memory. Backtraces to follow...

Comment 1 John Sullivan 2014-07-31 15:18:56 UTC
First backtrace:

(gdb) bt
#0  PatchJump (label=..., jump=...) at /usr/src/debug/firefox-31.0/mozilla-release/js/src/jit/x64/Assembler-x64.h:716
#1  js::jit::JitRuntime::patchIonBackedges (this=<optimized out>, rt=<optimized out>, target=target@entry=js::jit::JitRuntime::BackedgeLoopHeader)
    at /usr/src/debug/firefox-31.0/mozilla-release/js/src/jit/Ion.cpp:412
#2  0x00007fbd5fbb0190 in InterruptCheck (cx=0x7fbd6158c980) at /usr/src/debug/firefox-31.0/mozilla-release/js/src/jit/VMFunctions.cpp:523
#3  js::jit::CheckOverRecursedWithExtra (cx=0x7fbd6158c980, frame=<optimized out>, extra=<optimized out>, earlyCheck=<optimized out>)
    at /usr/src/debug/firefox-31.0/mozilla-release/js/src/jit/VMFunctions.cpp:177
#4  0x00007fbd616555aa in ?? ()
#5  0x00007fff7b40f2f8 in ?? ()
#6  0x00007fff7b40f2a0 in ?? ()
#7  0x00007fbd61247120 in DebugPrologueInfo () from /usr/lib64/firefox/libxul.so
#8  0x00007fbd53634940 in ?? ()
#9  0x00007fbd3941a2a9 in ?? ()
#10 0x0000000000000881 in ?? ()
#11 0x00007fff7b40f300 in ?? ()
#12 0x0000000000000000 in ?? ()
(gdb) info reg
rax            0x7fbd29cdfa3a	140450426911290
rbx            0x7fbd26156c00	140450364484608
rcx            0xfffffffffffffe4f	-433
rdx            0xfffffffffffffe4f	-433
rsi            0x7fbd29cdf889	140450426910857
rdi            0x7fbd29cdff18	140450426912536
rbp            0x7fbd6154cd38	0x7fbd6154cd38
rsp            0x7fff7b40f230	0x7fff7b40f230
r8             0x7fbd37dc40c0	140450662727872
r9             0x0	0
r10            0x7fff7b40f2c0	140735261242048
r11            0x7fbd55833130	140451160207664
r12            0x1	1
r13            0x7fff7b40fb30	140735261244208
r14            0x203	515
r15            0x7fbd6158c980	140451358755200
rip            0x7fbd5fadb533	0x7fbd5fadb533 <js::jit::JitRuntime::patchIonBackedges(JSRuntime*, js::jit::JitRuntime::BackedgeTarget)+211>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) print $_siginfo
$1 = {si_signo = 11, si_errno = 0, si_code = 2, _sifields = {_pad = {701364790, 32701, 36171664, 0, -1611239392, 32657, -1598469472, 32657, 7, 1, 37341680, 0, 0, 0, 6063689, 0, 20087808, 0, 12289888, 48, 
      4080, 0, 0, 0, 0, 0, 0, 0}, _kill = {si_pid = 701364790, si_uid = 32701}, _timer = {si_tid = 701364790, si_overrun = 32701, si_sigval = {sival_int = 36171664, sival_ptr = 0x227ef90}}, _rt = {
      si_pid = 701364790, si_uid = 32701, si_sigval = {sival_int = 36171664, sival_ptr = 0x227ef90}}, _sigchld = {si_pid = 701364790, si_uid = 32701, si_status = 36171664, si_utime = -6920220494666924032, 
      si_stime = -6865374105894355055}, _sigfault = {si_addr = 0x7fbd29cdfa36}, _sigpoll = {si_band = 140450426911286, si_fd = 36171664}}}

Comment 2 John Sullivan 2014-07-31 15:21:11 UTC
Second backtrace, in the nouveau dri driver. As can be seen, the entire nv30_context structure looks completely smashed with 'Z' bytes.

(gdb) bt
#0  nouveau_fence_next (screen=screen@entry=0x5a5a5a5a5a5a5a5a) at nouveau_fence.c:226
#1  0x00007fb7aff72dd4 in nv30_context_kick_notify (push=0x7fb7cd268e20) at nv30/nv30_context.c:47
#2  0x00007fb7afa0544c in pushbuf_submit (push=push@entry=0x7fb7cd268e20, chan=<optimized out>, chan=<optimized out>) at pushbuf.c:325
#3  0x00007fb7afa056fe in pushbuf_flush (push=push@entry=0x7fb7cd268e20) at pushbuf.c:402
#4  0x00007fb7afa061e0 in nouveau_pushbuf_kick (push=push@entry=0x7fb7cd268e20, chan=<optimized out>) at pushbuf.c:774
#5  0x00007fb7aff72f13 in PUSH_KICK (push=0x7fb7cd268e20) at ./nouveau_winsys.h:56
#6  nv30_context_flush (pipe=0x7fb7b9cc5000, fence=<optimized out>, flags=<optimized out>) at nv30/nv30_context.c:81
#7  0x00007fb7afd6f014 in st_glFlush (ctx=<optimized out>) at state_tracker/st_cb_flush.c:121
#8  0x00007fb7afc78baa in _mesa_make_current (newCtx=newCtx@entry=0x0, drawBuffer=drawBuffer@entry=0x0, readBuffer=readBuffer@entry=0x0) at main/context.c:1503
#9  0x00007fb7afd95ea3 in st_api_make_current (stapi=<optimized out>, stctxi=0x0, stdrawi=0x0, streadi=0x0) at state_tracker/st_manager.c:746
#10 0x00007fb7aff5abef in dri_unbind_context (cPriv=<optimized out>) at dri_context.c:215
#11 0x00007fb7afc5660d in driUnbindContext (pcp=0x7fb7a2a2d340) at dri_util.c:578
#12 0x000000300601c60d in MakeContextCurrent (dpy=0x7fb7dc4db000, draw=0, read=0, gc_user=0x0) at glxcurrent.c:245
#13 0x00007fb7d98c6dfe in mozilla::gl::GLContextGLX::~GLContextGLX (this=0x7fb79e75f800, __in_chrg=<optimized out>) at /usr/src/debug/firefox-31.0/mozilla-release/gfx/gl/GLContextProviderGLX.cpp:836
#14 0x00007fb7d98c6e57 in mozilla::gl::GLContextGLX::~GLContextGLX (this=0x7fb79e75f800, __in_chrg=<optimized out>) at /usr/src/debug/firefox-31.0/mozilla-release/gfx/gl/GLContextProviderGLX.cpp:845
#15 0x00007fb7da0772a6 in assign_with_AddRef (rawPtr=0x0, this=0x7fb79fd98c80) at ../../../dist/include/nsAutoPtr.h:866
#16 operator= (rhs=0x0, this=0x7fb79fd98c80) at ../../../dist/include/nsAutoPtr.h:964
#17 mozilla::WebGLContext::DestroyResourcesAndContext (this=this@entry=0x7fb79fd98c00) at /usr/src/debug/firefox-31.0/mozilla-release/content/canvas/src/WebGLContext.cpp:284
#18 0x00007fb7da077302 in mozilla::WebGLContext::~WebGLContext (this=0x7fb79fd98c00, __in_chrg=<optimized out>) at /usr/src/debug/firefox-31.0/mozilla-release/content/canvas/src/WebGLContext.cpp:203
#19 0x00007fb7da07483d in mozilla::WebGL1Context::~WebGL1Context (this=0x7fb79fd98c00, __in_chrg=<optimized out>) at /usr/src/debug/firefox-31.0/mozilla-release/content/canvas/src/WebGL1Context.cpp:25
#20 0x00007fb7d9455f42 in SnowWhiteKiller::~SnowWhiteKiller (this=0x7fff0ccff1a0, __in_chrg=<optimized out>) at /usr/src/debug/firefox-31.0/mozilla-release/xpcom/base/nsCycleCollector.cpp:2403
#21 0x00007fb7d9456006 in nsCycleCollector::FreeSnowWhite (this=0x7fb7d1c8e000, aUntilNoSWInPurpleBuffer=aUntilNoSWInPurpleBuffer@entry=false)
    at /usr/src/debug/firefox-31.0/mozilla-release/xpcom/base/nsCycleCollector.cpp:2568
#22 0x00007fb7d9456669 in nsCycleCollector_doDeferredDeletion () at /usr/src/debug/firefox-31.0/mozilla-release/xpcom/base/nsCycleCollector.cpp:3846
#23 0x00007fb7d9d82377 in AsyncFreeSnowWhite::Run (this=0x7fb7d06bf7a0) at /usr/src/debug/firefox-31.0/mozilla-release/js/xpconnect/src/XPCJSRuntime.cpp:211
#24 0x00007fb7d9486811 in nsThread::ProcessNextEvent (this=0x7fb7dc4e9b60, mayWait=<optimized out>, result=0x7fff0ccff2c7) at /usr/src/debug/firefox-31.0/mozilla-release/xpcom/threads/nsThread.cpp:715
#25 0x00007fb7d944020f in NS_ProcessNextEvent (thread=<optimized out>, mayWait=mayWait@entry=false) at /usr/src/debug/firefox-31.0/mozilla-release/xpcom/glue/nsThreadUtils.cpp:263
#26 0x00007fb7d963bb1b in mozilla::ipc::MessagePump::Run (this=0x7fb7d1c35700, aDelegate=0x7fb7dc47e500) at /usr/src/debug/firefox-31.0/mozilla-release/ipc/glue/MessagePump.cpp:95
#27 0x00007fb7d962c57b in RunHandler (this=0x7fb7dc47e500) at /usr/src/debug/firefox-31.0/mozilla-release/ipc/chromium/src/base/message_loop.cc:222
#28 MessageLoop::Run (this=0x7fb7dc47e500) at /usr/src/debug/firefox-31.0/mozilla-release/ipc/chromium/src/base/message_loop.cc:196
#29 0x00007fb7d9d3f9cb in nsBaseAppShell::Run (this=0x7fb7cd65e080) at /usr/src/debug/firefox-31.0/mozilla-release/widget/xpwidgets/nsBaseAppShell.cpp:164
#30 0x00007fb7da69292a in nsAppStartup::Run (this=0x7fb7cd6600b0) at /usr/src/debug/firefox-31.0/mozilla-release/toolkit/components/startup/nsAppStartup.cpp:278
#31 0x00007fb7da662a04 in XREMain::XRE_mainRun (this=this@entry=0x7fff0ccff580) at /usr/src/debug/firefox-31.0/mozilla-release/toolkit/xre/nsAppRunner.cpp:4019
#32 0x00007fb7da662ca2 in XREMain::XRE_main (this=this@entry=0x7fff0ccff580, argc=argc@entry=3, argv=argv@entry=0x7fff0cd00a88, aAppData=aAppData@entry=0x7fff0ccff780)
    at /usr/src/debug/firefox-31.0/mozilla-release/toolkit/xre/nsAppRunner.cpp:4088
#33 0x00007fb7da662f04 in XRE_main (argc=3, argv=0x7fff0cd00a88, aAppData=0x7fff0ccff780, aFlags=<optimized out>) at /usr/src/debug/firefox-31.0/mozilla-release/toolkit/xre/nsAppRunner.cpp:4300
#34 0x000000000040408d in do_main (argc=argc@entry=3, argv=argv@entry=0x7fff0cd00a88, xreDirectory=0x7fb7dc4386c0) at /usr/src/debug/firefox-31.0/mozilla-release/browser/app/nsBrowserApp.cpp:282
#35 0x000000000040382f in main (argc=3, argv=0x7fff0cd00a88) at /usr/src/debug/firefox-31.0/mozilla-release/browser/app/nsBrowserApp.cpp:643
(gdb) print $_siginfo
$1 = {si_signo = 11, si_errno = 0, si_code = 128, _sifields = {_pad = {0, 0, 185973016, 0, 190245328, 0, 190953880, 0, 7, 1, 186547040, 0, 0, 0, 6063689, 0, 51078144, 0, 12289888, 48, 4080, 0, 0, 0, 0, 0, 0, 
      0}, _kill = {si_pid = 0, si_uid = 0}, _timer = {si_tid = 0, si_overrun = 0, si_sigval = {sival_int = 185973016, sival_ptr = 0xb15b918}}, _rt = {si_pid = 0, si_uid = 0, si_sigval = {
        sival_int = 185973016, sival_ptr = 0xb15b918}}, _sigchld = {si_pid = 0, si_uid = 0, si_status = 185973016, si_utime = 817097461976793088, si_stime = 820140669644308480}, _sigfault = {si_addr = 0x0}, 
    _sigpoll = {si_band = 0, si_fd = 185973016}}}
(gdb) info reg
rax            0x7fb7ab476308	140426829325064
rbx            0x5a5a5a5a5a5a5a5a	6510615555426900570
rcx            0x0	0
rdx            0x7fb7c07acf60	140427185016672
rsi            0x80000001	2147483649
rdi            0x5a5a5a5a5a5a5a5a	6510615555426900570
rbp            0x5a5a5a5a5a5a5b4a	0x5a5a5a5a5a5a5b4a
rsp            0x7fff0ccfede0	0x7fff0ccfede0
r8             0x30062687e0	206261618656
r9             0x0	0
r10            0x7fb7dc5490d0	140427652272336
r11            0x7fb7dc5494c8	140427652273352
r12            0x7fb7cd268d70	140427397598576
r13            0x5a5a5a5a5a5a5a5a	6510615555426900570
r14            0x7fb7cd268e20	140427397598752
r15            0x3006268400	206261617664
rip            0x7fb7aff69f10	0x7fb7aff69f10 <nouveau_fence_next+16>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) list
221	}
222	
223	void
224	nouveau_fence_next(struct nouveau_screen *screen)
225	{
226	   if (screen->fence.current->state < NOUVEAU_FENCE_STATE_EMITTING)
227	      nouveau_fence_emit(screen->fence.current);
228	
229	   nouveau_fence_ref(NULL, &screen->fence.current);
230	
(gdb) disas
Dump of assembler code for function nouveau_fence_next:
   0x00007fb7aff69f00 <+0>:	push   rbp
   0x00007fb7aff69f01 <+1>:	push   rbx
   0x00007fb7aff69f02 <+2>:	mov    rbx,rdi
   0x00007fb7aff69f05 <+5>:	lea    rbp,[rbx+0xf0]
   0x00007fb7aff69f0c <+12>:	sub    rsp,0x8
=> 0x00007fb7aff69f10 <+16>:	mov    rdi,QWORD PTR [rdi+0xf0]
   0x00007fb7aff69f17 <+23>:	mov    eax,DWORD PTR [rdi+0x10]
   0x00007fb7aff69f1a <+26>:	test   eax,eax
   0x00007fb7aff69f1c <+28>:	jle    0x7fb7aff69f50 <nouveau_fence_next+80>
   0x00007fb7aff69f1e <+30>:	sub    DWORD PTR [rdi+0x14],0x1
(gdb) up
#1  0x00007fb7aff72dd4 in nv30_context_kick_notify (push=0x7fb7cd268e20) at nv30/nv30_context.c:47
47	   nouveau_fence_next(screen);
(gdb) list nv30_context_kick_notify
36	static void
37	nv30_context_kick_notify(struct nouveau_pushbuf *push)
38	{
39	   struct nouveau_screen *screen;
40	   struct nv30_context *nv30;
41	
42	   if (!push->user_priv)
43	      return;
44	   nv30 = container_of(push->user_priv, nv30, bufctx);
45	   screen = &nv30->screen->base;
46	
47	   nouveau_fence_next(screen);
48	   nouveau_fence_update(screen, TRUE);
(gdb) print push.user_priv
$9 = (void *) 0x7fb7ab476308
(gdb) print &((struct nv30_context*)0x7fb7ab476000).bufctx
$14 = (struct nouveau_bufctx **) 0x7fb7ab476308
(gdb) print *(struct nv30_context*)0x7fb7ab476000
$13 = {base = {pipe = {screen = 0x5a5a5a5a5a5a5a5a, priv = 0x5a5a5a5a5a5a5a5a, draw = 0x5a5a5a5a5a5a5a5a, destroy = 0x5a5a5a5a5a5a5a5a, draw_vbo = 0x5a5a5a5a5a5a5a5a, render_condition = 0x5a5a5a5a5a5a5a5a, 
      create_query = 0x5a5a5a5a5a5a5a5a, destroy_query = 0x5a5a5a5a5a5a5a5a, begin_query = 0x5a5a5a5a5a5a5a5a, end_query = 0x5a5a5a5a5a5a5a5a, get_query_result = 0x5a5a5a5a5a5a5a5a, create_blend_state = 
    0x5a5a5a5a5a5a5a5a, bind_blend_state = 0x5a5a5a5a5a5a5a5a, delete_blend_state = 0x5a5a5a5a5a5a5a5a, create_sampler_state = 0x5a5a5a5a5a5a5a5a, bind_sampler_states = 0x5a5a5a5a5a5a5a5a, 
      delete_sampler_state = 0x5a5a5a5a5a5a5a5a, create_rasterizer_state = 0x5a5a5a5a5a5a5a5a, bind_rasterizer_state = 0x5a5a5a5a5a5a5a5a, delete_rasterizer_state = 0x5a5a5a5a5a5a5a5a, 
      create_depth_stencil_alpha_state = 0x5a5a5a5a5a5a5a5a, bind_depth_stencil_alpha_state = 0x5a5a5a5a5a5a5a5a, delete_depth_stencil_alpha_state = 0x5a5a5a5a5a5a5a5a, create_fs_state = 0x5a5a5a5a5a5a5a5a, 
      bind_fs_state = 0x5a5a5a5a5a5a5a5a, delete_fs_state = 0x5a5a5a5a5a5a5a5a, create_vs_state = 0x5a5a5a5a5a5a5a5a, bind_vs_state = 0x5a5a5a5a5a5a5a5a, delete_vs_state = 0x5a5a5a5a5a5a5a5a, 
      create_gs_state = 0x5a5a5a5a5a5a5a5a, bind_gs_state = 0x5a5a5a5a5a5a5a5a, delete_gs_state = 0x5a5a5a5a5a5a5a5a, create_vertex_elements_state = 0x5a5a5a5a5a5a5a5a, bind_vertex_elements_state = 
    0x5a5a5a5a5a5a5a5a, delete_vertex_elements_state = 0x5a5a5a5a5a5a5a5a, set_blend_color = 0x5a5a5a5a5a5a5a5a, set_stencil_ref = 0x5a5a5a5a5a5a5a5a, set_sample_mask = 0x5a5a5a5a5a5a5a5a, set_clip_state = 
    0x5a5a5a5a5a5a5a5a, set_constant_buffer = 0x5a5a5a5a5a5a5a5a, set_framebuffer_state = 0x5a5a5a5a5a5a5a5a, set_polygon_stipple = 0x5a5a5a5a5a5a5a5a, set_scissor_states = 0x5a5a5a5a5a5a5a5a, 
      set_viewport_states = 0x5a5a5a5a5a5a5a5a, set_sampler_views = 0x5a5a5a5a5a5a5a5a, set_shader_resources = 0x5a5a5a5a5a5a5a5a, set_vertex_buffers = 0x5a5a5a5a5a5a5a5a, set_index_buffer = 
    0x5a5a5a5a5a5a5a5a, create_stream_output_target = 0x5a5a5a5a5a5a5a5a, stream_output_target_destroy = 0x5a5a5a5a5a5a5a5a, set_stream_output_targets = 0x5a5a5a5a5a5a5a5a, resource_copy_region = 
    0x5a5a5a5a5a5a5a5a, blit = 0x5a5a5a5a5a5a5a5a, clear = 0x5a5a5a5a5a5a5a5a, clear_render_target = 0x5a5a5a5a5a5a5a5a, clear_depth_stencil = 0x5a5a5a5a5a5a5a5a, flush = 0x5a5a5a5a5a5a5a5a, 
      create_sampler_view = 0x5a5a5a5a5a5a5a5a, sampler_view_destroy = 0x5a5a5a5a5a5a5a5a, create_surface = 0x5a5a5a5a5a5a5a5a, surface_destroy = 0x5a5a5a5a5a5a5a5a, transfer_map = 0x5a5a5a5a5a5a5a5a, 
      transfer_flush_region = 0x5a5a5a5a5a5a5a5a, transfer_unmap = 0x5a5a5a5a5a5a5a5a, transfer_inline_write = 0x5a5a5a5a5a5a5a5a, texture_barrier = 0x5a5a5a5a5a5a5a5a, create_video_codec = 
    0x5a5a5a5a5a5a5a5a, create_video_buffer = 0x5a5a5a5a5a5a5a5a, create_compute_state = 0x5a5a5a5a5a5a5a5a, bind_compute_state = 0x5a5a5a5a5a5a5a5a, delete_compute_state = 0x5a5a5a5a5a5a5a5a, 
      set_compute_resources = 0x5a5a5a5a5a5a5a5a, set_global_binding = 0x5a5a5a5a5a5a5a5a, launch_grid = 0x5a5a5a5a5a5a5a5a, get_sample_position = 0x5a5a5a5a5a5a5a5a, flush_resource = 0x5a5a5a5a5a5a5a5a}, 
    screen = 0x5a5a5a5a5a5a5a5a, client = 0x5a5a5a5a5a5a5a5a, pushbuf = 0x5a5a5a5a5a5a5a5a, vbo_dirty = 90 'Z', cb_dirty = 90 'Z', copy_data = 0x5a5a5a5a5a5a5a5a, push_data = 0x5a5a5a5a5a5a5a5a, push_cb = 
    0x5a5a5a5a5a5a5a5a, invalidate_resource_storage = 0x5a5a5a5a5a5a5a5a, scratch = {map = 0x5a5a5a5a5a5a5a5a <error: Cannot access memory at address 0x5a5a5a5a5a5a5a5a>, id = 1515870810, wrap = 1515870810, 
      offset = 1515870810, end = 1515870810, bo = {0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a}, current = 0x5a5a5a5a5a5a5a5a, runout = 0x5a5a5a5a5a5a5a5a, 
      nr_runout = 1515870810, bo_size = 1515870810}, stats = {buf_cache_count = 1515870810, buf_cache_frame = 1515870810}}, screen = 0x5a5a5a5a5a5a5a5a, blitter = 0x5a5a5a5a5a5a5a5a, 
  bufctx = 0x5a5a5a5a5a5a5a5a, state = {rt_enable = 1515870810, scissor_off = 1515870810, num_vtxelts = 1515870810, prim_restart = 90 'Z', fragprog = 0x5a5a5a5a5a5a5a5a}, dirty = 1515870810, 
  draw = 0x5a5a5a5a5a5a5a5a, draw_flags = 1515870810, draw_dirty = 1515870810, blend = 0x5a5a5a5a5a5a5a5a, rast = 0x5a5a5a5a5a5a5a5a, zsa = 0x5a5a5a5a5a5a5a5a, vertex = 0x5a5a5a5a5a5a5a5a, config = {
    filter = 1515870810, aniso = 1515870810}, vertprog = {program = 0x5a5a5a5a5a5a5a5a, constbuf = 0x5a5a5a5a5a5a5a5a, constbuf_nr = 1515870810, textures = {0x5a5a5a5a5a5a5a5a <repeats 16 times>}, 
    num_textures = 1515870810, samplers = {0x5a5a5a5a5a5a5a5a <repeats 16 times>}, num_samplers = 1515870810, dirty_samplers = 1515870810}, fragprog = {program = 0x5a5a5a5a5a5a5a5a, 
    constbuf = 0x5a5a5a5a5a5a5a5a, constbuf_nr = 1515870810, textures = {0x5a5a5a5a5a5a5a5a <repeats 16 times>}, num_textures = 1515870810, samplers = {0x5a5a5a5a5a5a5a5a <repeats 16 times>}, 
    num_samplers = 1515870810, dirty_samplers = 1515870810}, framebuffer = {width = 1515870810, height = 1515870810, nr_cbufs = 1515870810, cbufs = {0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 
      0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a}, zsbuf = 0x5a5a5a5a5a5a5a5a}, blend_colour = {color = {1.53652219e+16, 
      1.53652219e+16, 1.53652219e+16, 1.53652219e+16}}, stencil_ref = {ref_value = "ZZ"}, stipple = {stipple = {1515870810 <repeats 32 times>}}, scissor = {minx = 23130, miny = 23130, maxx = 23130, 
    maxy = 23130}, viewport = {scale = {1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}, translate = {1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}}, clip = {ucp = {{
        1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}, {1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}, {1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}, {
        1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}, {1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}, {1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}, {
        1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}, {1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}}}, sample_mask = 1515870810, vtxbuf = {{stride = 1515870810, 
      buffer_offset = 1515870810, buffer = 0x5a5a5a5a5a5a5a5a, user_buffer = 0x5a5a5a5a5a5a5a5a} <repeats 32 times>}, num_vtxbufs = 1515870810, idxbuf = {index_size = 1515870810, offset = 1515870810, 
    buffer = 0x5a5a5a5a5a5a5a5a, user_buffer = 0x5a5a5a5a5a5a5a5a}, vbo_fifo = 1515870810, vbo_user = 1515870810, vbo_min_index = 1515870810, vbo_max_index = 1515870810, vbo_push_hint = 90 'Z', 
  blit_vp = 0x5a5a5a5a5a5a5a5a, blit_fp = 0x5a5a5a5a5a5a5a5a, is_nv4x = 1515870810, use_nv4x = 1515870810, hw_pointsprite_control = 90, render_mode = (unknown: 1515870810), 
  render_cond_query = 0x5a5a5a5a5a5a5a5a, render_cond_mode = 1515870810, render_cond_cond = 90 'Z'}

/proc/<pid>/maps:

7fb7afa02000-7fb7afa08000 r-xp 00000000 08:02 29191777                   /usr/lib64/libdrm_nouveau.so.2.0.0
7fb7afc09000-7fb7b01d5000 r-xp 00000000 08:02 25854025                   /usr/lib64/dri/nouveau_dri.so

Comment 3 John Sullivan 2014-07-31 15:27:38 UTC
Third crash. I think this is attempting to execute some previously compiled JS, but apparently the target routine has no access permissions. (Whether that is because it didn't set it, or has removed it because that routine has been retired and shouldn't have been called any more, I can't say.)

Note that immediately before the target routine (the address at which we fault) is something that is obviously a pointer, then filled with 0x3b ';' bytes. It is that fill pattern that makes me suspect that the above nouveau crash had in fact been caused by the JS JIT mangling that area of memory.

The map containing the target routine is not mapped from a file (executable, shared library), which is what you'd expect from jitted code, and has no access permissions. (But is immediately followed by one that looks the same, but does have rwx permissions.)

(gdb) bt
#0  0x00007f6b19418768 in ?? ()
#1  0x00007f6b2152ad78 in ?? ()
#2  0x0000000000000202 in ?? ()
#3  0x00007f6b11114200 in ?? ()
#4  0x0000000000000001 in ?? ()
#5  0xfffbff6b11114180 in ?? ()
#6  0xfff880000000005a in ?? ()
#7  0x00007fffe15cd4b8 in ?? ()
#8  0x00007f6b0567ad88 in ?? ()
#9  0x00007f6b1eb58333 in ?? ()
#10 0x0000000000000701 in ?? ()
#11 0xfff880000000005a in ?? ()
#12 0xfffbff6b11114180 in ?? ()
#13 0xfffbff6b11114200 in ?? ()
#14 0xfff9000000000000 in ?? ()
#15 0xfffaff6b2f100ec0 in ?? ()
#16 0x00007fffe15cd410 in ?? ()
#17 0x00007f6b1bc9f600 in ?? ()
#18 0x00007f6a00000070 in ?? ()
#19 0x00007f6b111216a0 in ?? ()
#20 0x00007f6b3b9c46d9 in js::TypeOfObjectOperation (obj=<optimized out>, rt=0xfffbff6b11114200) at /usr/src/debug/firefox-31.0/mozilla-release/js/src/vm/Interpreter-inl.h:460
#21 0x00007f6b19449473 in ?? ()
#22 0x0000000000000000 in ?? ()
(gdb) print $_siginfo
$1 = {si_signo = 11, si_errno = 0, si_code = 2, _sifields = {_pad = {423724904, 32619, 43724584, 0, 375668768, 32543, 375887720, 32543, 7, 1, 43789248, 0, 0, 0, 6063689, 0, 29172736, 0, 12289888, 48, 4080, 
      0, 0, 0, 0, 0, 0, 0}, _kill = {si_pid = 423724904, si_uid = 32619}, _timer = {si_tid = 423724904, si_overrun = 32619, si_sigval = {sival_int = 43724584, sival_ptr = 0x29b2f28}}, _rt = {
      si_pid = 423724904, si_uid = 32619, si_sigval = {sival_int = 43724584, sival_ptr = 0x29b2f28}}, _sigchld = {si_pid = 423724904, si_uid = 32619, si_status = 43724584, si_utime = 1613485072688611328, 
      si_stime = 1614425464368037663}, _sigfault = {si_addr = 0x7f6b19418768}, _sigpoll = {si_band = 140097961953128, si_fd = 43724584}}}
(gdb) info reg
rax            0x7f6b19418768	140097961953128
rbx            0xfffbff6b11114200	-1126539570626048
rcx            0x7fffe15cd4b8	140736974345400
rdx            0x202	514
rsi            0x7fffe15cd468	140736974345320
rdi            0x7f6b0567ad88	140097628908936
rbp            0x7fffe15cd430	0x7fffe15cd430
rsp            0x7fffe15cd400	0x7fffe15cd400
r8             0x0	0
r9             0x7fffe15cd1e0	140736974344672
r10            0x37	55
r11            0x701	1793
r12            0x0	0
r13            0x7fffe15cd968	140736974346600
r14            0x1	1
r15            0x0	0
rip            0x7f6b19418768	0x7f6b19418768
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

(gdb) disass 0x00007f6b2152ad58,0x00007f6b2152ad98
Dump of assembler code from 0x7f6b2152ad58 to 0x7f6b2152ad98:
   0x00007f6b2152ad58:	add    BYTE PTR [rax-0x3f],cl
   0x00007f6b2152ad5b:	loope  0x7f6b2152ad62
   0x00007f6b2152ad5d:	push   rcx
   0x00007f6b2152ad5e:	movabs r11,0x7f6b31333e10
   0x00007f6b2152ad68:	mov    rcx,QWORD PTR [r11]
   0x00007f6b2152ad6b:	add    rcx,QWORD PTR [rsp]
   0x00007f6b2152ad6f:	add    rsp,0x8
   0x00007f6b2152ad73:	mov    DWORD PTR [rcx+0x18],edx
   0x00007f6b2152ad76:	call   rax
   0x00007f6b2152ad78:	pop    r11
   0x00007f6b2152ad7a:	shr    r11,0x4
   0x00007f6b2152ad7e:	add    rsp,r11
   0x00007f6b2152ad81:	pop    rbp

(gdb) x/64gx 0x00007f6b19418700
0x7f6b19418700:	0x3b3b3b3b3b3b3b3b	0x3b3b3b3b3b3b3b3b
0x7f6b19418710:	0x3b3b3b3b3b3b3b3b	0x3b3b3b3b3b3b3b3b
0x7f6b19418720:	0x3b3b3b3b3b3b3b3b	0x3b3b3b3b3b3b3b3b
0x7f6b19418730:	0x3b3b3b3b3b3b3b3b	0x3b3b3b3b3b3b3b3b
0x7f6b19418740:	0x3b3b3b3b3b3b3b3b	0x3b3b3b3b3b3b3b3b
0x7f6b19418750:	0x3b3b3b3b3b3b3b3b	0x3b3b3b3b3b3b3b3b
0x7f6b19418760:	0x00007f6afe2cbb50	0xe8c1482024448b48
0x7f6b19418770:	0x0f0001fff7f8812f	0x5c8b4c0000026985
0x7f6b19418780:	0xffffffffb8482024	0x48d8214c00007fff
0x7f6b19418790:	0x102468bb4908408b	0xd8394c00007f6b11
(gdb) disass 0x00007f6b19418768,0x00007f6b19418790
Dump of assembler code from 0x7f6b19418768 to 0x7f6b19418790:
=> 0x00007f6b19418768:	mov    rax,QWORD PTR [rsp+0x20]
   0x00007f6b1941876d:	shr    rax,0x2f
   0x00007f6b19418771:	cmp    eax,0x1fff7
   0x00007f6b19418777:	jne    0x7f6b194189e6
   0x00007f6b1941877d:	mov    r11,QWORD PTR [rsp+0x20]
   0x00007f6b19418782:	movabs rax,0x7fffffffffff
   0x00007f6b1941878c:	and    rax,r11
   0x00007f6b1941878f:	mov    rax,QWORD PTR [rax+0x8]

/proc/<pid>/maps:

7f6b1940d000-7f6b1941d000 ---p 00000000 00:00 0 
7f6b1941d000-7f6b1942d000 rwxp 00000000 00:00 0

Comment 4 John Sullivan 2014-07-31 15:41:34 UTC
Further note: when running under gdb, I can sometimes see a lot of SIGSEGV happening. Sometimes, when continued and left to its own devices, firefox will continue running happily with no visible sign of any problem. Sometimes it exits to the crash reporter.

Comment 5 John Sullivan 2014-07-31 18:41:41 UTC
Hmm.

When I first clicked the link and for a while after it would crash pretty quickly. Now, not so much. It still does, but several page refreshes might be required. (This suggests that it's something in the dynamically inserted content causing the problem, perhaps one of the banners, which changes each page load.)

Running firefox with MOZ_CRASHREPORTER_DISABLE=1 set so I don't have to run it under gdb to get the backtrace shows that of 5 crashes, *all* have an identical backtrace to comment 2, in the nouveau/dri driver. And the nv30_context structure is almost always full of 0x5a 'Z' bytes, but on just one of them it is full of zeroes instead. These bytes appear to start usually somewhat before the start of the structure, and carry on for well after the structure ends. Usually a bit more than a page's worth before it looks like something else starts appearing over the top of them.

So I'm changing my mind: the other JS-related SEGVs are likely just how the JIT works (I can think of several things it could be doing by setting pages as no-access then using the signal handler to fix them up later). These are never a problem and never cause an actual firefox crash.

The real crashes are always caused by something nouveau/mesa/WebGL related.
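The three crashes in this report carry different SIGSEGV signatures, and telling them apart is the first triage step: comments 1 and 3 have si_code = 2 (SEGV_ACCERR) with a real faulting address in si_addr, while comment 2 has si_code = 128 (SI_KERNEL) and si_addr = 0, which is how Linux reports a general protection fault, here from the non-canonical pointer 0x5a5a5a5a5a5a5a5a in rdi at `mov rdi,QWORD PTR [rdi+0xf0]`. The following C program is an added triage example, not part of the bug report or of any Firefox or Mesa code: it parses a /proc/<pid>/maps dump and classifies a fault from si_code and si_addr, separating a fault in an anonymous no-access page (the guard or retired-JIT-page case discussed in comments 3 and 5) from an unmapped address, a permission violation, or a #GP. The sample maps text is constructed from the two anonymous regions in comment 3 plus an invented file-backed region; the enum, struct and function names are the example's own.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SIGSEGV si_code values as Linux delivers them (same numbers as <signal.h>). */
#define MY_SEGV_MAPERR 1    /* address not mapped at all */
#define MY_SEGV_ACCERR 2    /* mapped, but the access type is not permitted */
#define MY_SI_KERNEL   128  /* raised by the kernel itself, e.g. a #GP: si_addr is 0 */

enum fault_kind {
    FAULT_GENERAL_PROTECTION,  /* #GP: typically a non-canonical pointer such as 0x5a5a5a5a5a5a5a5a */
    FAULT_UNMAPPED,            /* no mapping covers si_addr */
    FAULT_NOACCESS_ANON,       /* ---p anonymous page: guard page or retired JIT code */
    FAULT_NOACCESS_FILE,       /* ---p page backed by a file */
    FAULT_PERMISSION           /* mapped with some rights, but not the ones the access needed */
};

struct mapping { uint64_t start, end; char perms[5]; char path[256]; };

/* Parses one /proc/<pid>/maps line; path stays empty for anonymous mappings. */
int parse_maps_line(const char *line, struct mapping *m)
{
    m->path[0] = '\0';
    int n = sscanf(line, "%" SCNx64 "-%" SCNx64 " %4s %*s %*s %*s %255s",
                   &m->start, &m->end, m->perms, m->path);
    return n >= 3;   /* path is optional, so three conversions are enough */
}

/* x86-64 canonical form: bits 63..47 must all be copies of bit 47. */
int is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;          /* the 17 high bits */
    return top == 0 || top == 0x1ffff;
}

/* Finds the mapping that contains addr in a maps dump; returns 1 on a hit. */
int find_mapping(const char *maps, uint64_t addr, struct mapping *out)
{
    const char *p = maps;
    while (*p) {
        char line[512];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        struct mapping m;
        if (parse_maps_line(line, &m) && addr >= m.start && addr < m.end) {
            *out = m;
            return 1;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}

enum fault_kind classify_segv(int si_code, uint64_t si_addr, const char *maps)
{
    struct mapping m;
    /* A #GP carries no address: the kernel reports SI_KERNEL with si_addr 0. */
    if (si_code == MY_SI_KERNEL && si_addr == 0) return FAULT_GENERAL_PROTECTION;
    if (!find_mapping(maps, si_addr, &m)) return FAULT_UNMAPPED;
    if (strcmp(m.perms, "---p") == 0 || strcmp(m.perms, "---s") == 0)
        return m.path[0] ? FAULT_NOACCESS_FILE : FAULT_NOACCESS_ANON;
    return FAULT_PERMISSION;
}

/* Constructed sample: the two anonymous regions from comment 3 plus one
 * file-backed region invented for contrast (its address range is made up). */
const char *SAMPLE_MAPS =
    "7f6b1940d000-7f6b1941d000 ---p 00000000 00:00 0 \n"
    "7f6b1941d000-7f6b1942d000 rwxp 00000000 00:00 0\n"
    "7f6b3b000000-7f6b3c000000 r-xp 00000000 08:02 12345 /usr/lib64/firefox/libxul.so\n";

int main(void)
{
    /* Comment 3: si_code 2, si_addr 0x7f6b19418768, inside the ---p region. */
    printf("crash 3 -> kind %d\n", classify_segv(2, 0x7f6b19418768ULL, SAMPLE_MAPS));
    /* Comment 2: si_code 128, si_addr 0, rdi = 0x5a5a5a5a5a5a5a5a (non-canonical). */
    printf("crash 2 -> kind %d, rdi canonical? %d\n",
           classify_segv(128, 0, SAMPLE_MAPS), is_canonical(0x5a5a5a5a5a5a5a5aULL));
    return 0;
}
```

The useful distinction for this report is that a SEGV_ACCERR inside an anonymous `---p` region is what a JIT's own page-protection tricks look like and is survivable, whereas an SI_KERNEL fault with a junk-pattern register is a wild pointer and never is.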

Comment 6 Martin Stransky 2014-08-06 06:45:48 UTC
The 0x5a signature usually means that the memory is already freed by free() and filled with this pattern for debugging purposes. So I think it's really a bug in nouveau.

Comment 7 bernhardu 2014-09-04 13:04:08 UTC
Only want to point to another bug report at Launchpad:
https://bugs.launchpad.net/ubuntu/+source/mesa/+bug/1364522

At least the second backtrace seems equal to that one in comment 2, which
should be fixable by a little patch "nv30: avoid dangling references to deleted contexts" in the nouveau driver (in mesa 10.2.2).
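To show the use-after-free shape that comments 2, 6 and 7 describe, here is an added C example; it is not code from Mesa, from Firefox or from the bug report. It walks the same path as the comment 2 backtrace (push->user_priv, then container_of back to the nv30_context, then the context's screen pointer) using simplified stand-in structures whose layout is an assumption, with a junk-filling quarantine "free" standing in for jemalloc's 0x5a fill. It includes a check that refuses to dereference a context that reads back as all 0x5a, a destroy routine that leaves user_priv dangling as the crashing driver did, and a second one that clears the back-pointer, modelled only on the title of the fix named in comment 7, not on its actual diff. All function names here are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* 0x5a ('Z') is the byte Firefox's jemalloc writes over freed memory in its
 * junk-fill mode; in the report every field of nv30_context read as 0x5a5a... */
#define JUNK_FREED 0x5a

/* Simplified stand-ins for the driver structures in the backtrace (assumption:
 * the real layouts differ; only the user_priv -> bufctx back-pointer matters). */
struct nouveau_pushbuf { void *user_priv; };
struct nouveau_screen  { struct nouveau_pushbuf *pushbuf; int fences_advanced; };
struct nv30_context {
    struct nouveau_screen *screen;
    void *blitter;
    void *bufctx;   /* user_priv points HERE, not at the start of the context */
};

/* Linux-style container_of: recover the enclosing struct from a member pointer. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Debug "free": junk-fill and keep the block instead of returning it to malloc,
 * so the dangling-pointer path below is observable without undefined behaviour. */
static void *quarantine[16];
static size_t quarantined;
static void junk_free(void *p, size_t n)
{
    memset(p, JUNK_FREED, n);
    if (quarantined < 16) quarantine[quarantined++] = p;
}

/* Returns 1 when every byte of [p, p+n) carries the freed-memory junk byte. */
int looks_freed(const void *p, size_t n)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != JUNK_FREED) return 0;
    return n > 0;
}

/* Kick notification shaped like nv30_context_kick_notify: follow user_priv back
 * to the context and touch its screen. Returns 1 if there was nothing to do,
 * -1 instead of dereferencing a junk-filled context (the report's crash path,
 * where screen would be 0x5a5a5a5a5a5a5a5a), and 0 on the normal path. */
int kick_notify_checked(struct nouveau_pushbuf *push)
{
    if (!push->user_priv) return 1;
    struct nv30_context *nv30 = container_of(push->user_priv, struct nv30_context, bufctx);
    if (looks_freed(nv30, sizeof *nv30)) return -1;
    nv30->screen->fences_advanced++;
    return 0;
}

/* Before: the context is freed but pushbuf->user_priv still points into it. */
void nv30_destroy_dangling(struct nv30_context *nv30)
{
    junk_free(nv30, sizeof *nv30);
}

/* After (modelled on the fix title "avoid dangling references to deleted
 * contexts", not on its diff): drop the back-pointer before freeing. */
void nv30_destroy_fixed(struct nv30_context *nv30)
{
    struct nouveau_pushbuf *push = nv30->screen->pushbuf;
    if (push->user_priv == &nv30->bufctx)
        push->user_priv = NULL;
    junk_free(nv30, sizeof *nv30);
}

/* Wires a screen, pushbuf and context together the way the driver does:
 * push->user_priv ends up pointing at &ctx->bufctx. */
struct nv30_context *make_context(struct nouveau_screen *screen, struct nouveau_pushbuf *push)
{
    struct nv30_context *nv30 = calloc(1, sizeof *nv30);
    screen->pushbuf = push;
    nv30->screen = screen;
    push->user_priv = &nv30->bufctx;
    return nv30;
}

/* The arithmetic gdb did in comment 2: user_priv 0x7fb7ab476308 minus the
 * bufctx offset (0x308 in that build) gives the context base 0x7fb7ab476000. */
uintptr_t context_base_from_user_priv(uintptr_t user_priv, size_t bufctx_offset)
{
    return user_priv - bufctx_offset;
}
```

The `looks_freed` check is a triage aid, not a fix: the fix is the destroy routine that clears the back-pointer, and in production the junk-filled read would have been the `screen=0x5a5a5a5a5a5a5a5a` argument seen in frame #0 of the comment 2 backtrace.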

Comment 8 Fedora End Of Life 2015-05-29 12:31:44 UTC
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 20 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 9 Fedora End Of Life 2015-06-29 21:52:48 UTC
Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.